In recent years organisations have pursued, relentlessly, a systematic approach to understanding the breadth and maturity of their information security and cyber capabilities. Most notably, they use frameworks such as the NIST Cyber Security Framework, which is certainly the most consistently used cyber control framework for developing a current-state and target-state view of capabilities. Not only is the framework easy to understand, it is pragmatic, easy to communicate and extensive.
The problem, though, is that many organisations dive straight into focusing on just the framework. “How do our controls map to NIST CSF? What maturity are we?” Doing so, and communicating the output of that exercise, often leads to the pursuit of increased maturity for maturity’s sake. For example, if an organisation finds that it has a maturity rating of only 1 out of a possible 5 for a number of capability areas, there is a natural temptation to ensure those capabilities reach a maturity level of at least 3. However, in many instances there is a missing link between the desired capabilities and the risk the organisation actually faces.
Think of it like building a car with all its various parts and safety features without really understanding what the car will be used for. Where’s the car going? Who’s going to be in the car? What sort of terrain? How long will it need to travel for? Imagine putting together a fully loaded Rolls Royce when the intention is to drive off-road through the Sahara Desert. Or putting a child seat in the car when there aren’t any kids.
Controls and capabilities exist in order to treat a risk, and as such the risk itself needs to be the focal point. What is the risk we’re concerned about? How concerned about it are we? What’s an acceptable level of risk? What’s the priority of each risk and of its associated treatment? Which control options will deliver the best risk treatment for the least investment? Once the requirements have been well understood and the purpose of our car well defined, we can then get to work on what capabilities we need and how mature those capabilities need to be.
If you’re well down the path of assessing cyber capability and maturity without linking it back to risk, fear not – it’s never too late. Either determine what the risks could be based on the lack of capabilities and controls and look to align these with the organisation’s risk profile, or, if that risk profile already exists, re-align the priorities of the target-state capabilities with it. You’ll be back on the road in no time.